Hi all. I recently replaced my basic home wifi router with an OPNSense box. Things went mostly smoothly, but I quickly found out that certain online multiplayer games that use a P2P model (particularly GTA Online) were not happy. After a bit of research, I made a static port NAT rule for our two gaming computers and set up os-upnp, and that seemed to work. Both are able to play online simultaneously with other players, but the one thing we can't do is actually play together. When either of us attempts to join the other, it fails with a generic "Unable to connect to session".
In our setup, our ISP's provided router gives out private addresses (10.0.0.x), so that's what OPNSense's WAN interface gets. This is the same situation as the previous wifi router, which worked fine, so I know this is possible without changing the ISP router. I'm still fairly new getting into the nuts and bolts of NAT (and UPnP), so I'm not really sure how to troubleshoot this. I can say though that if one of us connects directly to the ISP router (bypassing OPNSense), we're able to play together successfully. Obviously that's not ideal.
The first of the two things I've changed is switching Outbound NAT to Hybrid and adding a rule for each machine:
Interface: WAN
Source: 192.168.1.x/32
NAT Address: WAN address
Static Port: Yes
The second thing was installing and configuring os-upnp (miniupnpd). Here's /var/etc/miniupnpd.conf. Note that the ext_allow_private_ipv4 line was added manually (and the service restarted) since it's not available in the UI. I think this was the last change that made online play work initially.
ext_ifname=igc1
ext_allow_private_ipv4=yes
http_port=2189
listening_ip=vlan06
ext_perform_stun=allow-filtered
ext_stun_host=stun.l.google.com
ext_stun_port=19302
secure_mode=yes
pcp_allow_thirdparty=no
ipv6_disable=yes
presentation_url=https://192.168.1.1/
friendly_name=OPNsense UPnP IGD & PCP
uuid=<uuid>
serial=60732055
model_number=26.1.8_5
allow 1024-65535 192.168.1.<x>/32 1024-65535
allow 1024-65535 192.168.1.<y>/32 1024-65535
deny 1-65535 0.0.0.0/0 1-65535
enable_upnp=yes
enable_pcp_pmp=yes
force_igd_desc_v1=yes
lease_file=/var/run/miniupnpd.leases
lease_file6=/var/run/miniupnpd.leases-ipv6
I haven't manually added any firewall rules for this. The only rules outside of the built-in rules for this internal interface are to drop IPv6, allow full access to the internet, and allow DNS, DHCP, and NTP to the OPNSense interface. If anyone can point me in a direction, it would be greatly appreciated.